CMMC-CCA Exam Dumps - Cyber AB CMMC Questions and Answers

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.

Practice AC.L2-3.1.3 requires that users are presented with privacy and security notices (system use notifications) at the point of system log-in to ensure that they are aware of authorized usage and monitoring.

Extract:

“Display privacy and security notices (system use notifications) before granting system access.”

Posters, alerts, or general awareness messages do not satisfy this practice because they are not tied directly to system access.

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport. “Tamper protection technologies” are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

“Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.”

Thus, D is NOT an acceptable safeguard.

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

The Physical and Environmental Protection (PE) Policy is the governing artifact that describes how physical access to facilities and environments is managed and controlled. While the SSP provides a system-wide overview, and access lists provide details of who is authorized, it is the PE Policy that explicitly documents the physical access control measures required under CMMC.

Extract from PE.L2-3.10.1:

“Organizations must develop, document, and disseminate physical and environmental protection policies that govern how access to buildings and systems containing CUI is limited to authorized individuals.”

Least privilege requires users to perform privileged functions only with privileged accounts and to use their basic (non-privileged) accounts for general activity. This prevents unnecessary exposure of elevated rights and limits attack surfaces. Database Administrators must use their DBA accounts only for DBA tasks, and all users must use their basic accounts for non-privileged tasks.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Objectives: Require separate accounts for privileged and non-privileged activities.

Assessment Guide Clarification: “Privileged accounts should be used only for privileged functions; standard accounts must be used for all other activities.”

Why the other options are not correct:

B: States “non-privileged users use their basic account” but does not explicitly require all users (including admins) to use their basic account for non-privileged tasks.

C/D: Incorrectly assign System Administrator accounts to Database Administrators, which violates least privilege (admins must only have the access needed for their role).

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)